


We have a CP fw running R77.30 and it sits between the Corp and production networks.

We have a web server that sits behind the fw in the production network, which a select band of Corp users are required to access.

I want to be able to nail down access to only this select group, and hand off 2fa to an RSA server that we already have sitting in our Corp network.

Is this possible on the CP, and if so, what software blade is required to enable these services?

Thanks in advance

James

You can make use of AD groups through Identity Awareness, but I don't think traffic will trigger additional authentication requirements. The whole point of that feature is to make the firewall aware of user identity with little to no interaction from the user. Of course, if you require those users to provide token codes (or use a Smart Card, or whatever) to log in to their workstations, it could definitely work.

I think the way I would do this is with remote access VPN and Office Mode. You should be able to set the remote access encryption domain to cover only the network in question, then only allow traffic to it from the Office Mode network.
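The design in the reply above (encryption domain limited to the production network, and a rule that only allows the Office Mode pool to reach the web server) can be sanity-checked against a model of the rulebase before it is pushed. The following is an added example, not code from the thread or from Check Point; the addresses, the rule format and the function names are all constructed for illustration.

```python
"""Model of the 'Office Mode only' access design from the reply above.

Constructed addresses (assumptions, not from the thread):
  Corp network        10.10.0.0/16
  Production network  10.20.0.0/24   (web server 10.20.0.50)
  Office Mode pool    172.16.100.0/24
"""
from ipaddress import ip_address, ip_network

CORP = ip_network("10.10.0.0/16")
PROD = ip_network("10.20.0.0/24")
WEB_SERVER = ip_address("10.20.0.50")
OFFICE_MODE = ip_network("172.16.100.0/24")
ANY = ip_network("0.0.0.0/0")

# Remote-access encryption domain: only the production network, so that
# only traffic destined there is pulled into the VPN tunnel.
ENCRYPTION_DOMAIN = [PROD]

# Ordered rulebase; "ports" None means any service.  This is a toy model of a
# firewall policy, not Check Point's own policy format.
RULES = [
    {"name": "office-mode-to-web", "src": [OFFICE_MODE],
     "dst": [ip_network("10.20.0.50/32")], "ports": {443}, "action": "accept"},
    {"name": "cleanup", "src": [ANY], "dst": [ANY], "ports": None, "action": "drop"},
]


def first_match(rules, src, dst, port):
    """First-match evaluation, as a firewall rulebase does it.
    Returns (rule name, action); unmatched traffic hits the implicit drop."""
    for rule in rules:
        if (any(src in n for n in rule["src"])
                and any(dst in n for n in rule["dst"])
                and (rule["ports"] is None or port in rule["ports"])):
            return rule["name"], rule["action"]
    return None, "drop"


def audit_web_exposure(rules, web, allowed_src):
    """Names of accept rules that reach `web` from any source network that is
    not wholly inside `allowed_src` (i.e. not the Office Mode pool)."""
    exposed = []
    for rule in rules:
        if rule["action"] != "accept" or not any(web in n for n in rule["dst"]):
            continue
        if any(not n.subnet_of(allowed_src) for n in rule["src"]):
            exposed.append(rule["name"])
    return exposed


def encryption_domain_ok(domain, corp):
    """True when no part of the Corp network is inside the encryption domain,
    so Corp-to-Corp traffic is never dragged through the tunnel."""
    return not any(n.overlaps(corp) for n in domain)


if __name__ == "__main__":
    print(first_match(RULES, ip_address("172.16.100.7"), WEB_SERVER, 443))
    print(first_match(RULES, ip_address("10.10.5.5"), WEB_SERVER, 443))
    print("exposed:", audit_web_exposure(RULES, WEB_SERVER, OFFICE_MODE))
    print("encryption domain ok:", encryption_domain_ok(ENCRYPTION_DOMAIN, CORP))
```

The audit function is the part worth keeping: it flags any accept rule whose source is broader than the Office Mode pool, which is exactly the mistake (an "Any" or Corp source left over from earlier testing) that would let users bypass the VPN and the RSA authentication that goes with it.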

Mobile Access Blade should also work here.
Depending on the nature of the website, it may work without installing a VPN client.

I missed that it was a website. Mobile Access should definitely work for that. It's essentially a "reverse proxy" (still seems like an unhelpful term to me) which allows you to wrap TLS and other authentication requirements around a website. I don't see mention of X-Forwarded-For in the documentation I've checked, so it may make your web server logs weird. Correlating the firewall logs with the web server logs should be easy enough as long as you have synchronized clocks.

For arbitrary traffic (like SSH or MSRDP), I still think the remote access VPN method would be better.
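The log-correlation point in the previous reply (the web server only sees the gateway's address when the reverse proxy adds no X-Forwarded-For, so user attribution has to come from joining gateway logs to web logs by time) can be scripted. This is an added example, not code from the thread or from Check Point: the firewall log format, the gateway address 10.20.0.1 and the sample log lines are all constructed, and a real export would need its own parser.

```python
"""Attribute web server requests to users by joining gateway logs and web logs on time.

Assumptions (constructed for this example, not from the thread):
  - the web server sees every proxied request from GATEWAY_IP, with no X-Forwarded-For;
  - gateway and web server clocks are synchronised (the reply's precondition);
  - the gateway log is a simple key=value line, not Check Point's real export format.
"""
import re
from datetime import datetime, timedelta, timezone

GATEWAY_IP = "10.20.0.1"  # assumed production-side address of the gateway

# Constructed gateway (Mobile Access style) log lines.
FW_LOGS = [
    "time=2024-03-01T10:15:02Z user=jsmith src=10.10.5.5 dst=10.20.0.50 action=accept",
    "time=2024-03-01T10:15:40Z user=mjones src=10.10.7.9 dst=10.20.0.50 action=accept",
    "time=2024-03-01T10:16:10Z user=dlee src=10.10.9.9 dst=10.20.0.50 action=drop",
]

# Constructed web server access log lines (Apache combined-style prefix).
WEB_LOGS = [
    '10.20.0.1 - - [01/Mar/2024:10:15:03 +0000] "GET /app/login HTTP/1.1" 200 512',
    '10.20.0.1 - - [01/Mar/2024:10:15:41 +0000] "GET /app/report HTTP/1.1" 200 2048',
    '10.20.0.1 - - [01/Mar/2024:10:16:11 +0000] "GET /app/admin HTTP/1.1" 403 128',
    '10.20.0.9 - - [01/Mar/2024:10:17:00 +0000] "GET /app/ HTTP/1.1" 200 64',
]

FW_RE = re.compile(r"time=(\S+) user=(\S+) src=(\S+) dst=(\S+) action=(\S+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def parse_fw(lines):
    """Parse gateway lines into timezone-aware events; skip lines that don't match."""
    events = []
    for line in lines:
        m = FW_RE.search(line)
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": t, "user": m.group(2), "src": m.group(3), "action": m.group(5)})
    return events


def parse_web(lines):
    """Parse access-log lines; the %z directive keeps the timestamp timezone-aware."""
    reqs = []
    for line in lines:
        m = WEB_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        reqs.append({"time": t, "client": m.group(1), "request": m.group(3), "status": int(m.group(4))})
    return reqs


def correlate(fw_events, web_requests, window=timedelta(seconds=5)):
    """For each web request, return (request, user, ambiguous).

    user is the user of the closest accepted gateway event within `window`, or
    None when the request did not come via the gateway or nothing matches.
    ambiguous is True when more than one distinct user fits the window, which
    is the case a per-request identity header (such as X-Forwarded-For) would resolve.
    """
    accepted = [e for e in fw_events if e["action"] == "accept"]
    results = []
    for r in web_requests:
        if r["client"] != GATEWAY_IP:
            results.append((r["request"], None, False))  # reached the server directly
            continue
        candidates = [e for e in accepted if abs(e["time"] - r["time"]) <= window]
        if not candidates:
            results.append((r["request"], None, False))
            continue
        best = min(candidates, key=lambda e: abs(e["time"] - r["time"]))
        ambiguous = len({e["user"] for e in candidates}) > 1
        results.append((r["request"], best["user"], ambiguous))
    return results


if __name__ == "__main__":
    for row in correlate(parse_fw(FW_LOGS), parse_web(WEB_LOGS)):
        print(row)
```

Two of the outcomes are the interesting ones for a reviewer: a request with no accepted gateway event nearby (here the 403 on /app/admin) and a request whose client address is not the gateway at all, which means something reached the production web server without going through the Mobile Access path and deserves a look at the rulebase.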